Archive for July, 2010

Weekly Intelligence Summary: 2010-07-30

Friday, July 30th, 2010

Babel (Genesis 11:1-9) is a good analogy for this past week. Imagine the cacophony that could be heard after the language was confused. Our most significant contribution to the InfoSec community this year took place with the publication of the latest edition of our Data Breach Investigations Report (DBIR). One of the Risk Team’s key messages is: “Focus on the threats.” There is a flood of vulnerability data (not intelligence). It doesn’t matter unless some criminal or other threat uses it and causes loss. The DBIR provides threat intelligence in spades. The “.LNK” vulnerability is near the top of most InfoSec pros’ anxiety lists, but it hasn’t “gone big”. However, the Zeus gang has adopted it, and they are a threat. The American Bankers Association is telling customers that its members alone can’t protect consumers’ accounts and that by “partnering” it is possible to shift some of the defensive burden onto individuals (customers) to monitor their own accounts on a “continuous, almost daily basis.” Our colleague William H. Murray drilled the Risk Team years ago: “it’s the data!” WikiLeaks is painfully drilling that lesson into the US Military with no regard for the consequences. The vulnerability noise from Nevada was insignificant compared to the threat and impact lessons of the week.

2010 Data Breach Investigations Report Released

Wednesday, July 28th, 2010

Get it here.

As many of you know, we publish a series of reports covering forensic engagements worked by Verizon’s Investigative Response team. For the past several years we’ve dug into the who, what, when, where, how, and why of organizational data breaches and passed our findings on to you in the DBIR. We’re big proponents of the belief that you can’t manage what you can’t measure and so are always looking for better ways to measure factors critical to managing security. Analyzing first-hand evidence collected during breach investigations offers a rare and powerful chance to do this.

We’ve already announced that this year’s DBIR is a joint effort between Verizon and the U.S. Secret Service. We hope you’ll benefit from (and enjoy) the results, analysis, recommendations, and commentary in the report. However, we also hope that you will recognize it as a proof point that sensitive data can be shared anonymously, responsibly, securely, and effectively between organizations. Our field is in desperate need of more high-quality accessible data and collaborating among ourselves is the only way we’re going to get there.

This report is interesting in terms of analyzing trends. Last year, we reported on our own caseload. This year, we added an entirely new dataset. It shouldn’t be surprising that this changed some of our results substantially. We discuss these changes and potential reasons for them throughout the report. Equally interesting to those changes, however, are the results that didn’t change. We’ve always wondered (and so have you) whether certain findings were unique to Verizon’s caseload or truly indicative of the general population. The fact that Secret Service data shows many results that are very similar to our own is a compelling revelation.

VERIS framework moves from beta to v1

Monday, July 26th, 2010

As you may remember, we released a beta version of the VERIS framework back in March. Since then, we’ve received helpful feedback from the public as well as organizations that have begun to implement and use VERIS. We’ve updated VERIS accordingly and now believe it is ready to move from beta to version 1. Starting today, you can access v1 at the new VERIS wiki.

This does not mean that VERIS is final; in fact, it never will be. It is meant to be an evolving framework that reflects current community input. The wiki will allow anyone to comment, post suggestions, or otherwise discuss the various elements of VERIS. This will help ensure that the framework remains a useful and viable structure for information sharing within the security community. We invite you to participate.

For those of you not familiar with VERIS, it is a set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner. It is what we use to collect and analyze case details for the Data Breach Investigations Report. The overall goal is to create a foundation for data-driven decision-making and risk management. You can view an executive summary here.

Finally, we would be remiss if we did not give a heads up on the imminent release of the 2010 DBIR. It will be released this Wednesday, July 28. VERIS is what allowed data sharing between Verizon and the United States Secret Service and we look forward to sharing our findings with you.

Intelligence Summary: 2010-07-23

Friday, July 23rd, 2010

Tuesday, September 21st, 1976: the classic hour-long M*A*S*H episode “Bug Out” aired. What’s that got to do with InfoSec risk this week? Not a blessed thing, and that’s the point. There’s a new vulnerability in Windows and there’s malware in the wild exploiting it. But this is not the time to strike the tents, jump in the trucks and beat feet. It’s just another worm, folks. In a year we’ll remember it about as well as we remember Conficker. The silver lining might be torque on bean-counters’ arms to free up the bucks (Euros, Yen, Pounds, Riyals) to finally ditch XP SP2. Microsoft, Google and others came out with “Coordinated Vulnerability Disclosure,” ditching the expression “responsible disclosure” in the process. Good luck with that. Society has yet to establish an accepted norm for IT vulnerability handling. Ideally this new effort will accomplish that, but there will always be individuals who reject the social contract for their own selfish, irresponsible reasons.

Successful Evidence-Based Risk Management: The Value of a Great CSIRT

Tuesday, July 20th, 2010

I was reading Richard Bejtlich’s blog today on Computer Security Incident Response Teams and he quoted the following from Gartner’s report “How to Build a Computer Security Incident Response Team”:

“A competent and adequately resourced CSIRT is an important part of an organization’s information security program. Many organizations either have nothing in place or follow inconsistent procedures. In many organizations, the goal is to recover from an incident and get back up and running with minimal attention being paid to evidence collection, analysis or postmortem reporting. Over the long term, this approach results in more security events, not fewer, as the organization is unable to discern the root causes of incidents and incorporate these lessons learned into improvements in infrastructure and process management.”

We wholeheartedly agree. In fact, this is EXACTLY why we released the Verizon Enterprise Risk and Incident Sharing framework for you to use. Our hope is that the VERIS framework(1) and our Data Breach Investigations Report(2) are just what you need to mature incident analysis and post-incident reporting.

Weekly Intelligence Summary: 2010-07-16

Saturday, July 17th, 2010

Researchers at CA have an analysis of an update to the Zeus Trojan/kit, and Kaspersky has an analysis of the Black Energy DoS malware; these are the most useful risk intelligence updates this week. Malware and other InfoSec blogs are buzzing about a new rootkit that uses “.lnk” files to run from a USB drive. Scary images of SCADA system infections and a so-called 0-day make for great press but lousy risk intelligence. Whatever it is, it isn’t “in the wild” in a meaningful way and, like most just-discovered malware evolutions, it doesn’t run reliably. Microsoft and Oracle released updates, and the former says 25K systems have reported attempted attacks using the CVE-2010-1885 vulnerability. Note: these were not compromises, and the hype surrounding this issue will finally diminish. Secunia says this could be the worst year ever for vulnerabilities, but somebody forgot to tell US-CERT’s National Vulnerability Database, where this year might be 5% ahead of last year. Black Hat and Defcon hype continues unabated; it’s about attendance, sponsors and revenue, not about risk. “You’re known by the company you keep.” Fine. Go to Las Vegas, but make it like a trip to the zoo or prison.

Weekly Intelligence Summary: 2010-07-09

Saturday, July 10th, 2010

The week kicked off with attacks on YouTube, Wikipedia, iTunes, Russian banks and their customers, and at least two attacks on Facebook users. In hindsight, the most risk-significant development this week may turn out to be that EMC began shutting down their Atmos Online cloud. Next week we expect four Microsoft security bulletins covering five vulnerabilities, including Tavis Ormandy’s socialization demonstration. Oracle will release their July CPU for 59 vulnerabilities, including 21 in Solaris. Without a security advisory, Cisco released a software update to their Adaptive Security Appliance 5580; paying attention to version release notes pays off. The signal-to-noise ratio in InfoSec news was remarkably poor last week, and it’s forecast to only get worse in the run-up to several conferences. Just because something “could” happen doesn’t mean it will happen. Don’t buy any anti-asteroid umbrellas and don’t lose sleep over minutiae whose primary purpose is attracting attention with no impact on risk in the world we are in.

Forget trying to color the Swan, focus on what you do know

Wednesday, July 7th, 2010

Recently, there’s been no small amount of discussion about how the government can help defend cyber-space from catastrophic cyber-risks. Many folks are saying that we (infosec) could have our own “Black Swan” moment and a sort of “kill switch” might provide a defense against attack.

The problem is this: if you’re reading Nassim Taleb, and coming away with the idea that a Black Swan is a low-likelihood/high-impact event, you’re mistaken. This is a false characterization. I will red-card the next person who suggests such.

Rather, Black Swans are better characterized as events for which your prior distributions are COMPLETELY uninformative. BIG difference. Oil spills, EMP disruptions, hurricane strength and levee failure, even economic bubbles, these all have prior distributions that, in terms of either likelihood or impact (or both), I would characterize as relatively informative at some level of abstraction. To further press the point, regarding real “Black Swans”, the impact of a Rumsfeldian Unknown/Unknown may or may not be “high” (we just tend to worry about high-impact stuff).

Look, if you’re using past frequencies as direct evidence for pattern establishment in modeling complex systems then, yes, all these imagined things for which we have no “actuarial quality data” become “low probability” events and we can seriously get burned. Duh. Bad models with bad data create bad results. No magic there.

But if, on the other hand, you treat probabilities not as a nature-state count but as a statement of belief and a hypothesis to be tested, then you can develop models that better address expected changes to the threat landscape and relate them to the impact (impact being not as important because, really, you’re already assuming high impact in your hypothesis prior to testing, and done right, that’s OK).

But I would argue that in infosec, and with regards to “cyberwar”, we have plenty of knowledge about attacks and the ability to fail spectacularly. We have past experience that shows that attackers dream up new threat actions, circumvent existing controls in clever ways, and when economically driven (including behavioral aspects of being economically driven) will seek to cause impact by almost any means necessary. The specific vulnerability or exploit (or pairing thereof) might be a complete unknown/unknown, possibly characterized as a real Black Swan, but we’ve never been able to prevent them anyhow, and the knowledge that these unknown/unknowns can and do exist, along with the foreknowledge and assumption of high impact, prevents all the craziness we suppose these economic demagogues have to teach us. That is, the prior experience we have with 0days means that we can derive some state of knowledge with acceptable amounts of uncertainty in many cases.

Finally, speaking of informative prior distributions: I’m not advocating a political stance on the issue, but it’s really, really odd to me that we’re ready to discuss how (un)informative prior distributions are or aren’t in terms of Black Swans and cyber-kill switches, while ignoring the fact that we do have very informative past examples of leadership, regardless of political ideology at this point, being incapable of reacting quickly to catastrophic events. Events that unfolded much slower (presumably) than a “cybercrisis” that results in “cybergeddon” (readers can blame @shrdlu for my “cyberness” this morning, she’s a bad influence).
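
A worked illustration of the count-versus-belief distinction in the post above (added here as an example; it is not code from the original post or from the Risk Team). It shows how “past frequencies as direct evidence” turn zero observed events in a window into a probability of exactly zero, while a Beta prior, flat or informed by belief, updated with the same evidence gives a non-zero rate estimate plus a credible bound. The 36-month window, the prior parameters and all function names are assumptions of this example.

```python
from math import exp, lgamma, log


def frequency_estimate(events: int, periods: int) -> float:
    """'Nature-state count': 0 events in n periods is reported as exactly 0."""
    return events / periods


def posterior_mean(events: int, periods: int, alpha: float, beta: float) -> float:
    """Belief encoded as a Beta(alpha, beta) prior on the per-period rate,
    updated with `events` in `periods` (Beta-Binomial conjugate update).
    Beta(1, 1) is the flat prior; larger alpha + beta means stronger belief."""
    return (alpha + events) / (alpha + beta + periods)


def upper_credible_bound(alpha: float, beta: float, mass: float = 0.95,
                         grid: int = 20000) -> float:
    """Rate u with P(rate <= u) ~= mass under Beta(alpha, beta).
    Grid integration of the Beta density (no SciPy needed); assumes
    alpha, beta >= 1 so the density is finite at both endpoints."""
    log_norm = lgamma(alpha + beta) - lgamma(alpha) - lgamma(beta)
    total = 0.0
    for i in range(1, grid):
        x = i / grid
        density = exp(log_norm + (alpha - 1) * log(x) + (beta - 1) * log(1 - x))
        total += density / grid
        if total >= mass:
            return x
    return 1.0


def compare(events: int, periods: int, alpha: float, beta: float) -> dict:
    """Count-based estimate beside the Bayesian posterior for the same evidence."""
    return {
        "frequency": frequency_estimate(events, periods),
        "posterior_mean": posterior_mean(events, periods, alpha, beta),
        "upper_95": upper_credible_bound(alpha + events, beta + periods - events),
    }


if __name__ == "__main__":
    # Constructed scenario: 36 months with no observed catastrophic incident.
    print("flat prior     ", compare(0, 36, 1.0, 1.0))
    # Assumed informed prior: about 2 incidents per 100 periods believed a priori.
    print("informed prior ", compare(0, 36, 2.0, 98.0))
```

With the flat prior the count says 0 while the posterior mean is 1/38 with a 95% bound near 8% per month; the informed prior pulls both numbers down but never to zero, which is the uncertainty the post calls acceptable.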

Weekly Intelligence Summary: 2010-07-02

Tuesday, July 6th, 2010

“Wanted: Eleven power users for international espionage positions in the United States; parenting skills and fluency in English and Russian a plus.” The Russian spies’ IT issues have distracted the technology media like a cat and a laser pointer. Those of us with Cold War Recognition Certificates have broader perspectives and are recalling that KGB is now spelled SVR. The good news is the FBI’s counterintelligence agents have been on some of them for seven years. Russia may expel or arrest US “agents” to complete the tit-for-tat; the bad old days never left. In more routine InfoSec risk events: Adobe patched Acrobat and Reader, but some risk may remain. Microsoft, GData and Symantec reported escalating attacks on Tavis Ormandy’s attention-seeking behavior. July 13th is due to be a monster Patch Tuesday with Microsoft and Oracle (think Sun too) scheduled updates; an early, out-of-cycle patch for Help and Support Center might simplify patch management and provide more protection. The bad news, especially in hindsight, may turn out to be what’s happening to Frito-Lay. Multimillion-dollar losses. How do we protect our principals from that?